XenMobile Packet Flow | Citrix MPG Marketing
XenMobile Packet Flow
Citrix Systems, Inc. © 2013 Page 1 of 10
Contents
Introduction (page 1)
Authentication Sequence with Access Gateway (page 2)
MDM Enrollment Sequence iOS (page 3)
MDM Enrollment Sequence Android (page 4)
External Access Sequence to XMA (page 5)
Internal Access Sequence to AppController (page 7)
Introduction

The purpose of this document is to give a high-level overview of the traffic flow between Enroll / Worx Home / Receiver, NetScaler, XenMobile Device Manager (XDM), and XenMobile AppController (XMA).

The AppController sequence assumes that the environment has the following constraints:

1. NetScaler:
   - Is deployed in the DMZ
   - Has access to Active Directory on port 389 or 636
   - Has access to XMA on ports 443 and 80
2. AppController:
   - Has access to Active Directory on port 389 or 636
3. Users:
   - Have mobile devices that are connected to an external network (Wi-Fi / 3G or 4G) and can communicate directly with XMA on ports 443 and 80

The MDM sequence for Android does not require an APNS certificate or a Developer Account; those are required only for iOS.
Authentication Sequence with Access Gateway

1. User connects to Access Gateway
2. Access Gateway prompts the user to authenticate
3. User enters their Active Directory credentials
4. Access Gateway takes the user's credentials and verifies them with Active Directory
5. Active Directory responds with an authentication successful message
6. Access Gateway creates a token and SSOs to XMA
7. XMA extracts the user's credentials from the token and uses them to verify the user with Active Directory
8. Active Directory responds with an authentication successful message
9. XMA now makes a callback to Access Gateway to verify that the request originated there
10. Callback succeeds and the apps are enumerated
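The token-and-callback exchange in steps 6 to 10 is the part of this sequence worth understanding in detail: XMA does not trust the token on sight, it re-verifies the user and then asks Access Gateway whether it really issued that token. The Python model below is an added illustration and not Citrix code; the document does not describe the real token format or callback protocol, so the directory stand-in, the app entitlements, the opaque token id and the single-use, time-limited handling of tokens are all assumptions of the model, and it does not reproduce the credential forwarding of step 7 (it only re-checks that the user is known to the directory and reads group membership).

```python
"""Model of the Access Gateway -> XMA SSO with callback (steps 6 to 10 above).

Constructed illustration; not Citrix code. Directory contents, app
entitlements, the opaque token and the single-use, time-limited handling of
tokens are assumptions of this model.
"""
import hmac
import secrets

# Constructed stand-in for Active Directory: user -> (password, set of groups).
DIRECTORY = {
    "alice": ("Correct-Horse-1", {"mobile-users"}),
    "bob": ("Battery-Staple-2", set()),
}
# Constructed entitlements: group -> apps the user may enumerate (step 10).
APPS_BY_GROUP = {"mobile-users": ["WorxMail", "WorxWeb"]}


def ad_authenticate(user, password):
    """Steps 4 and 5: verify credentials against the directory stand-in."""
    entry = DIRECTORY.get(user)
    return entry is not None and hmac.compare_digest(entry[0], password)


class AccessGateway:
    """Authenticates users, mints SSO tokens (step 6) and answers the callback (step 9)."""

    def __init__(self, ttl_seconds=60):
        self.issued = {}          # token id -> (user, expiry time)
        self.ttl = ttl_seconds

    def login(self, user, password, now):
        """Steps 1 to 6: on valid credentials, return the token that SSOs the user to XMA."""
        if not ad_authenticate(user, password):
            return None
        token_id = secrets.token_hex(16)                  # unguessable, issued-here marker
        self.issued[token_id] = (user, now + self.ttl)
        return f"{token_id}:{user}"

    def callback_verify(self, token_id, user, now):
        """Step 9: confirm this gateway issued the token for this user and it has not expired.

        The token is consumed on the first check (model assumption), so a replayed
        token fails even if it is still inside its lifetime."""
        entry = self.issued.pop(token_id, None)
        return entry is not None and entry[0] == user and now <= entry[1]


class XMA:
    """Consumes the SSO token: steps 7 to 10."""

    def __init__(self, gateway):
        self.gateway = gateway

    def sso(self, token, now):
        """Return the user's app list on success, None if any check fails."""
        token_id, sep, user = token.partition(":")
        if not sep or user not in DIRECTORY:              # steps 7/8: user known to AD
            return None
        if not self.gateway.callback_verify(token_id, user, now):   # step 9
            return None
        apps = []                                          # step 10: enumerate apps
        for group in DIRECTORY[user][1]:
            apps.extend(APPS_BY_GROUP.get(group, []))
        return sorted(apps)


if __name__ == "__main__":
    ag = AccessGateway()
    xma = XMA(ag)
    token = ag.login("alice", "Correct-Horse-1", now=1000.0)
    print("first use:", xma.sso(token, now=1010.0))
    print("replay:", xma.sso(token, now=1011.0))
```

The point the model makes is that a token handed to XMA by anything other than Access Gateway, an expired token, or a replayed one all fail at the callback, regardless of whether the username inside it is valid.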
MDM Enrollment Sequence iOS

Step | From | To | Protocol | Port | Description
1 | Mobile Device | Apple App Store | HTTP | 443 (80?) | User downloads and installs Citrix Enroll on their mobile device
2 | Enroll | XDM | HTTPS / SSL | 443 | User enters credentials
3 | Enroll | XDM | HTTPS / SSL / DNS | 8443 | If a domain is specified in the user dialog, the Worx Home app queries the Citrix NOC (discover.mdm.zenprise.com) to check whether an XDM server is registered for the domain
4 | Enroll | XDM | HTTP | 8443 | If not found, user is prompted for the XDM server name (FQDN)
5 | Enroll | XDM | HTTP | 8443 | If found, user is prompted for password
6 | XDM | LDAP server | LDAP / LDAPS | 389 / 636 / 3289 | User credentials are verified against the LDAP server
7 | Enroll | XDM | SSL | 8443 | If successful, the device is connected through a persistent, long-lived HTTPS connection (Root CA and MDM profile)
8 | XDM | LDAP server | LDAP / LDAPS | 389 / 636 / 3289 | XDM server verifies user group membership against the LDAP server
9 | XDM | Enroll | SSL | 8443 | User must accept the profiles pushed down over the HTTPS connection to the server (Root CA and MDM profile)
10 | XDM | APNS | APNS | 2195 | XDM server initiates a connection to the APNS network to tell the device to wake up
11 | APNS | Enroll | SSL | 5223 | 
12 | Enroll | XDM | HTTPS / SSL | 443 | XDM server tells the device to call home to the XDM server
13 | XDM | APNS | APNS | 2196 | XDM server requests acknowledgement of acceptance and status of the request via the APNS network
14 | XDM | Worx Home | HTTPS / SSL | 443 | Based on AD group membership, policies, applications and files are pushed to the device through the HTTPS connection
15 | XDM | APNS | APNS | 2196 | XDM server requests acknowledgement of acceptance and status of the request via the APNS network
MDM Enrollment Sequence Android

Step | From | To | Protocol | Port | Description
1 | Mobile Device | Google Play Store | HTTP | 80 | User downloads and installs Citrix Worx Home on their mobile device
2 | Worx Home | XDM | HTTP / HTTPS / SSL | 443 | User enters credentials
3 | Worx Home | XDM | HTTP / HTTPS / SSL / DNS | 443 / 53 | If a domain is specified in the user dialog, the connect app queries the Citrix NOC (discover.mdm.zenprise.com) to check whether an XDM server is registered for the domain
4 | Worx Home | XDM | HTTP / HTTPS / SSL | 443 | If not found, user is prompted for the XDM server name (FQDN). No https:// prefix is needed in the server name
5 | Worx Home | XDM | HTTP / HTTPS / SSL | 443 | If found, user is prompted for password
6 | XDM | LDAP server | LDAP / LDAPS | 389 / 636 / 3289 | User credentials are verified against the LDAP server
7 | Worx Home | XDM | HTTP / HTTPS / SSL | 443 | If successful, the device is connected through a persistent, long-lived HTTPS connection
8 | XDM | LDAP server | LDAP / LDAPS | 389 / 636 / 3289 | XDM server verifies user group membership against the LDAP server
9 | XDM | Worx Home | HTTPS / SSL | 443 | Based on AD group membership, policies, applications and files are pushed to the device through the HTTPS connection
10 | XDM | Worx Home | HTTP / HTTPS / SSL | Any port | Geo Locate is requested from the device through the persistent HTTPS connection from the server to the device
11 | (none) | (none) | No network activity | | The device attempts to obtain a GPS lock via the onboard GPS chip. The user must have location services enabled for this to work
12 | Worx Home | XDM | HTTPS / SSL | 443 | If the device obtains a lock, it sends the result back to the XDM. XDM does NOT do cell tower location
13 | XDM | Worx Home | HTTPS / SSL | 443 | Wipe of the device is sent from the server to the device via the HTTPS connection initiated by the device
14 | Worx Home | XDM | HTTP / HTTPS / SSL | Any port | The Worx Home app confirms that the command was received via the HTTPS connection, ensures the server received the acknowledgement, and wipes the device
External Access Sequence to XMA

Step | From | To | Protocol | Port | Description
1 | Mobile Device | Apple App Store | HTTP | 80 | User downloads and installs Receiver on their mobile device
2 | Receiver | Access Gateway | HTTPS / SSL | 443 | User clicks Add Account and connects to Access Gateway
3 | Access Gateway | Receiver | HTTPS / SSL | 443 | Access Gateway (AG) verifies that the user is requesting a valid resource and then prompts the user to authenticate
4 | Receiver | Access Gateway | HTTPS / SSL | 443 | User authenticates using their AD credentials (and OTT if it exists)
5 | Access Gateway | Active Directory | LDAP / LDAPS | 389 / 636 | AG verifies the credentials by checking with AD
6 | Access Gateway | XMA | HTTPS / SSL | 443 | AG creates a token and SSOs to XMA
7 | XMA | Active Directory | LDAP / LDAPS | 389 / 636 | XMA uses the token to authenticate the user against Active Directory
8 | XMA | Access Gateway | HTTPS / SSL | 443 | XMA then makes a callback to AG to verify that the authentication request originated at AG
9 | Receiver | XMA | HTTPS / SSL | 443 | If the authentication is successful, Receiver makes a GET request for the store information (.cr file)
10 | XMA | Receiver | HTTPS / SSL | 443 | XMA validates the endpoint, registers the device (Receiver) and pushes down the .cr file
11 | XMA | Active Directory | HTTPS / SSL | 389 / 636 / 443 | XMA checks that the user belongs to the correct role, i.e. group in AD, and sends the list of resources (app icons for each resource) down to the Receiver
12 | XMA | Receiver | HTTPS / SSL | 443 | Policies, apps, and files
13 | Receiver | XMA | HTTPS / SSL | 443 | User subscribes to a resource such as a native mobile app
14 | XMA | Receiver | HTTP | 80 | XMA makes note of this subscription and then sends down the app to the mobile device
15 | Receiver | XMA | HTTPS / SSL | 443 | User subscribes to a Web/SaaS SSO (Formfill) application
16 | XMA | Receiver | HTTPS / SSL | 443 | XMA makes note of this subscription and then prompts the user to provide Web/SaaS application credentials
17 | Receiver | XMA | HTTPS / SSL | 443 | XMA saves the credentials in its local database
18 | XMA | Receiver | HTTPS / SSL | 443 | XMA issues a redirect to the endpoint device with the required form
19 | Receiver | Application | HTTPS / SSL | 443 | Endpoint submits the token to the Web/SaaS application and is signed on
20 | Receiver | XMA | HTTPS / SSL | 443 | User subscribes to a Web/SaaS SSO (SAML) application
21 | XMA | Receiver | HTTPS / SSL | 443 | XMA makes note of this subscription
22 | XMA | XMA | HTTPS / SSL | 443 | XMA saves the Web/SaaS app username in its local database
23 | XMA | Receiver | HTTPS / SSL | 443 | XMA issues a SAML token with a redirect to the endpoint device
24 | Receiver | Application | HTTPS / SSL | 443 | Endpoint submits the token to the Web/SaaS application and is signed on
Internal Access Sequence to XMA

Step | From | To | Protocol | Port | Description
1 | Mobile Device | XMA | HTTP | 80 | User downloads and installs Receiver on their mobile device
2 | Receiver | XMA | HTTPS / SSL | 443 | User clicks Add Account and connects to XMA
3 | XMA | Receiver | HTTPS / SSL | 443 | XMA verifies that the user is requesting a valid resource and then prompts the user to authenticate
4 | Receiver | XMA | HTTPS / SSL | 443 | User authenticates using their AD credentials against Active Directory
5 | XMA | Active Directory | LDAP / LDAPS | 389 / 636 | 
6 | Receiver | XMA | HTTPS / SSL | 443 | If the authentication is successful, Receiver requests the store information (.cr file)
7 | Receiver | XMA | HTTPS / SSL | 443 | XMA validates the endpoint, registers the device (Receiver), and pushes down the .cr file
8 | XMA | Active Directory | HTTPS / SSL | 389 / 636 / 443 | XMA verifies the user's role group in AD and sends a list of resources to the Receiver
9 | XMA | Receiver | HTTPS / SSL | 443 | 
10 | Receiver | XMA | HTTP | 80 | User subscribes to a resource such as a native mobile app
11 | XMA | Receiver | HTTP | 80 | XMA makes note of this subscription and then sends down the app to the mobile device
12 | Receiver | XMA | HTTPS / SSL | 443 | User subscribes to a Web/SaaS SSO (Formfill) application
13 | XMA | Receiver | HTTPS / SSL | 443 | XMA makes note of this subscription and then prompts the user to provide Web/SaaS application credentials
14 | Receiver | XMA | HTTPS / SSL | 443 | XMA saves the credentials in its local database
15 | XMA | Receiver | HTTPS / SSL | 443 | XMA issues a redirect to the endpoint device with the required form
16 | Receiver | Application | HTTPS / SSL | 443 | Endpoint submits the token to the Web/SaaS application and is signed on
17 | Receiver | XMA | HTTPS / SSL | 443 | User subscribes to a Web/SaaS SSO (SAML) application
18 | XMA | Receiver | HTTPS / SSL | 443 | XMA makes note of this subscription
19 | XMA | XMA | HTTPS / SSL | 443 | XMA saves the Web/SaaS app username in its local database
20 | XMA | Receiver | HTTPS / SSL | 443 | XMA issues a SAML token with a redirect to the endpoint device
21 | Receiver | Application | HTTPS / SSL | 443 | Endpoint submits the token to the Web/SaaS application and is signed on
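The enrollment and access tables above together list every documented hop by source, destination and port, which makes them a natural allowlist for a firewall review. The Python example below is added here and is not part of the Citrix document: it transcribes those hops into a set of (source role, destination role, port) tuples, runs constructed firewall-style log lines through it, and reports connections the document does not describe as well as connections that use a documented but unencrypted option (LDAP on 389, HTTP on 80). The host addresses, the host-to-role inventory, the log format, and the treatment of every non-inventory address as a mobile device (Enroll, Worx Home or Receiver) are assumptions of the example; the APNS rows and the "Any port" rows are left out because they cannot be pinned to a fixed address or port.

```python
"""Compare observed connections with the flows documented in the tables above.

Constructed example, not part of the Citrix document. Hosts, the inventory,
the log format and the 'non-inventory address = mobile device' rule are
assumptions; the flow tuples are transcribed from the tables.
"""
import re
from collections import Counter

# Internal component hosts (constructed inventory, not from the document).
INVENTORY = {
    "10.0.1.10": "Access Gateway",
    "10.0.2.20": "XMA",
    "10.0.2.30": "XDM",
    "10.0.3.40": "Active Directory",
}
# Anything not in the inventory is treated as a mobile device; the tables do
# not distinguish Enroll, Worx Home and Receiver by address.
DEVICE = "Device"

# (source role, destination role, destination port) transcribed from the tables.
DOCUMENTED_FLOWS = {
    (DEVICE, "XDM", 443), (DEVICE, "XDM", 8443),                      # MDM enrollment
    ("XDM", "Active Directory", 389), ("XDM", "Active Directory", 636),
    ("XDM", "Active Directory", 3289),
    (DEVICE, "Access Gateway", 443),                                     # external access
    ("Access Gateway", "Active Directory", 389), ("Access Gateway", "Active Directory", 636),
    ("Access Gateway", "XMA", 443), ("XMA", "Access Gateway", 443),      # SSO and callback
    (DEVICE, "XMA", 443), (DEVICE, "XMA", 80),                           # store and app download
    ("XMA", "Active Directory", 389), ("XMA", "Active Directory", 636),
}
# Documented options that carry credentials or payloads without TLS.
CLEARTEXT_PORTS = {389, 80}

LOG_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")


def classify(line):
    """Return (verdict, src_role, dst_role, port) for one log line."""
    m = LOG_RE.search(line)
    if not m:
        return ("unparsed", None, None, None)
    src_role = INVENTORY.get(m["src"], DEVICE)
    dst_role = INVENTORY.get(m["dst"])
    port = int(m["dport"])
    if dst_role is None:                      # a managed component talking to something unknown
        return ("unknown-destination", src_role, None, port)
    if (src_role, dst_role, port) not in DOCUMENTED_FLOWS:
        return ("undocumented", src_role, dst_role, port)
    if port in CLEARTEXT_PORTS:               # allowed by the document, but worth a look
        return ("documented-cleartext", src_role, dst_role, port)
    return ("documented", src_role, dst_role, port)


def scan(lines):
    """Tally verdicts and collect every line that is not a plain documented hop."""
    counts = Counter()
    findings = []
    for line in lines:
        verdict, src, dst, port = classify(line)
        counts[verdict] += 1
        if verdict != "documented":
            findings.append((verdict, src, dst, port))
    return counts, findings


SAMPLE_LOG = [  # constructed lines in a generic key=value firewall format
    "2013-06-01T10:00:01Z src=203.0.113.7 dst=10.0.1.10 dport=443 action=allow",
    "2013-06-01T10:00:02Z src=10.0.1.10 dst=10.0.3.40 dport=389 action=allow",
    "2013-06-01T10:00:03Z src=10.0.1.10 dst=10.0.2.20 dport=443 action=allow",
    "2013-06-01T10:00:04Z src=10.0.2.20 dst=10.0.3.40 dport=636 action=allow",
    "2013-06-01T10:00:05Z src=10.0.2.30 dst=10.0.2.20 dport=8080 action=allow",
    "2013-06-01T10:00:06Z src=203.0.113.9 dst=10.0.2.30 dport=8443 action=allow",
    "2013-06-01T10:00:07Z src=10.0.2.20 dst=192.0.2.50 dport=443 action=allow",
]

if __name__ == "__main__":
    counts, findings = scan(SAMPLE_LOG)
    print(dict(counts))
    for finding in findings:
        print("REVIEW", finding)
```

Run against real firewall logs, the same allowlist doubles as the starting point for a least-privilege rule set: anything that only ever shows up as "undocumented" is a candidate for removal, and every "documented-cleartext" hit is a place to confirm that LDAPS (636) or HTTPS (443) is actually in use rather than the plaintext alternative the tables permit.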